Chapter

Unlinkable and Strongly Accountable Sanitizable Signatures from Verifiable Ring Signatures: 16th International Conference, CANS 2017, Hong Kong, China, November 30—December 2, 2017, Revised Selected Papers


Abstract

An Unlinkable Sanitizable Signature scheme (USS) allows a sanitizer to modify some parts of a signed message in such a way that nobody can link the modified signature to the original one. A Verifiable Ring Signature scheme (VRS) allows the users to sign messages anonymously within a group where a user can prove a posteriori to a verifier that it is the author of a given signature. In this paper, we first revisit the notion of VRS: we improve the proof capabilities of the users, we give a complete security model for VRS and we give an efficient and secure scheme called EVeR. Our main contribution is GUSS, a Generic USS based on a VRS scheme and an unforgeable signature scheme. We show that GUSS instantiated with EVeR and Schnorr’s signature is twice as efficient as the best USS scheme of the literature. Moreover, we propose a stronger definition of accountability: a USS is accountable when the signer can prove whether a signature is sanitized. We formally define the notion of strong accountability where the sanitizer can also prove the origin of a signature. We show that the notion of strong accountability is important in practice. Finally, we prove the security properties of GUSS (including strong accountability) and EVeR under the Decisional Diffie-Hellman (DDH) assumption in the random oracle model.


Chapter
Many sanitizable signature schemes have been proposed to facilitate and secure the secondary use of medical data. These schemes allow a patient, authorized by the doctor, to modify and re-sign his/her electronic health record (EHR) to hide sensitive information, and the new signature can still be verified successfully. However, this may lead to fraud because patients may forge medical records for profit. To further standardize sanitization and reduce the sanitizer's power, this paper proposes a new limited sanitizable signature scheme, which allows the signer not only to decide which message blocks can be modified but also to determine the maximum number of modifiable blocks and the expiration time for sanitization. We also propose a secure EHR sharing scheme suitable for medical scenarios based on the above limited sanitizable signature to realize privacy-preserving medical data sharing. Finally, the security analysis and experimental results show that the security and efficiency of our scheme are acceptable.
Chapter
The emergence of blockchain decentralization has garnered considerable interest from the scientific and scholarly communities since it addresses scalability issues and provides security for its users. Since its inception, numerous encryption methods have adopted its methodology to develop medically applicable schemes. However, most proposed schemes involve time-consuming operations, while others rely on standard pairing libraries. Both approaches cause complexity delays, affecting the blockchain’s execution speed. In the case of blockchain digital signatures, participants’ cryptographic keys are tied to their assets instead of their identities. This contradicts the non-repudiation feature of public key digital signatures. Therefore, this article proposes a lightweight hybrid encryption protocol employing the key encapsulation technique to generate encapsulated keys for blockchain network participants. The proposed method allows users to generate encapsulated keys linked to their identities. In order to increase the speed of cryptographic execution on the blockchain, we evaluate the computational overhead of the proposed model using the pairing Ethereum library (Py-eth library). In addition, the Ethereum Improvement Proposals (EIPs) library measures the consumption of gas costs on the blockchain. Our performance analysis demonstrates that the proposed protocol achieves a lower computational cost with less gas consumption, accelerating blockchain transaction executions.
Article
Sanitizable signcryption adds sanitization functionality to signcryption, such that a delegated sanitizer can modify a signcryptext and still derive a valid signcryptext without cooperation of the original sender. Sanitizable signcryption is useful for data sharing with authentication and access control. Existing sanitizable signcryption schemes cannot achieve public verifiability, which can prevent malicious senders or sanitizers from cheating the receivers. In order to realize public verifiability, we propose a new composition method called “Encrypt-then-Commit-then-Sign (EtCtS)”. In particular, our method carefully embeds a key-exposure free chameleon hash function (also known as a trapdoor commitment) between the encryption and signing operations. Accordingly, we convert the sanitization operation into finding collisions in the key-exposure free chameleon hash function using the trapdoor key, and after sanitization the plaintext is still confidential to the sanitizer. Based on the EtCtS method, we construct the first sanitizable signcryption scheme that is publicly verifiable. We give a rigorous security proof of our scheme in the random oracle model. We also provide an implementation of our scheme for performance analysis.
Chapter
Sanitizable signatures (SaS) allow a (single) sanitizer, chosen by the signer, to modify and re-sign a message in a somewhat controlled way, that is, only editing parts (or blocks) of the message that are admissible for modification. This primitive is an efficient tool, with many formally defined security properties, such as unlinkability, transparency, immutability, invisibility, and unforgeability. An SaS scheme that satisfies these properties can be a great asset to the privacy of any field it will be applied to, e.g., anonymizing medical files. In this work, we look at the notion of γ-sanitizable signatures (γSaS): we take the sanitizable signatures one step further by allowing the signer to not only decide which blocks can be modified, but also how many of them at most can be modified within a single sanitization, setting a limit, denoted with γ. We adapt the security properties listed above to γSaS and propose our own scheme, ULISS (Unlinkable Limited Invisible Sanitizable Signature), then show that it verifies these properties. This extension of SaS can not only improve current use cases, but also introduce new ones, e.g., restricting the number of changes in a document within a certain timeframe.
Chapter
Aiming at the requirement of anonymous supervision of digital certificates in blockchain public key infrastructure (PKI), this paper proposes a ring signature with multiple indirect verifications (RS-MIV). This mechanism can ensure multiple and indirect verification of certificate signer identity while preserving its anonymity. On this basis, a supervisable anonymous management scheme was designed based on smart contracts, which realizes the anonymity of certificate authority nodes, the anonymous issuance of digital certificates, the anonymous verification of digital certificates, and the traceability of illegal certificate issuers in the blockchain PKI. It is proved that the scheme can guarantee the anonymity and traceability of the certificate issuer’s identity at an acceptable cost.
Chapter
Sanitizable signatures are a variant of signatures which allow a single, signer-defined sanitizer to modify signed messages in a controlled way without invalidating the respective signature. They turned out to be a versatile primitive, proven by different variants and extensions, e.g., allowing multiple sanitizers or adding new sanitizers one-by-one. However, existing constructions are very restricted regarding their flexibility in specifying potential sanitizers. We propose a different and more powerful approach: instead of using sanitizers’ public keys directly, we assign attributes to them. Sanitizing is then based on policies, i.e., access structures defined over attributes. A sanitizer can sanitize if, and only if, it holds a secret key to attributes satisfying the policy associated to a signature, while offering full-scale accountability.
Chapter
Trick-Taking Games (TTGs) are card games in which each player plays one of his cards in turn according to a given rule. The player with the highest card then wins the trick, i.e., he gets all the cards that have been played during the round. For instance, Spades is a famous TTG proposed by online casinos, where each player must play a card that follows the leading suit when it is possible. Otherwise, he can play any of his cards. In such a game, a dishonest user can play a wrong card even if he has cards of the leading suit. Since his other cards are hidden, there is no way to detect the cheat. Hence, the other players realize the problem later, i.e., when the cheater plays a card that he is not supposed to have. In this case, the game is biased and is canceled. Our goal is to design protocols that prevent such a cheat for TTGs. We give a security model for secure Spades protocols, and we design a scheme called SecureSpades. This scheme is secure under the Decisional Diffie-Hellman assumption in the random oracle model. Our model and our scheme can be extended to several other TTGs, such as Belotte, Whist, Bridge, etc.
Chapter
Sanitizable signatures allow designated parties (the sanitizers) to apply arbitrary modifications to some restricted parts of signed messages. A secure scheme should not only be unforgeable, but also protect privacy and hold both the signer and the sanitizer accountable. Two important security properties that are seemingly difficult to achieve simultaneously and efficiently are invisibility and unlinkability. While invisibility ensures that the admissible modifications are hidden from external parties, unlinkability says that sanitized signatures cannot be linked to their sources. Achieving both properties simultaneously is crucial for applications where sensitive personal data is signed with respect to data-dependent admissible modifications. The existence of an efficient construction achieving both properties was recently posed as an open question by Camenisch et al. (PKC’17). In this work, we propose a solution to this problem with a two-step construction. First, we construct (non-accountable) invisible and unlinkable sanitizable signatures from signatures on equivalence classes and other basic primitives. Second, we put forth a generic transformation using verifiable ring signatures to turn any non-accountable sanitizable signature into an accountable one while preserving all other properties. When instantiating in the generic group and random oracle model, the efficiency of our construction is comparable to that of prior constructions, while providing stronger security guarantees.
Article
Full-text available
We introduce a verifiable ring signature that not only has all the properties of a ring signature, but also the following property: if the actual signer is willing to prove to the verifier that he actually signs the signature, then the verifier can correctly determine whether he is the actual signer among the possible signers.
Conference Paper
Full-text available
Sanitizable signatures allow a signer of a message to give one specific receiver, called a sanitizer, the power to modify some designated parts of the signed message. Most of the existing constructions consider one single signer giving such a possibility to one single sanitizer. In this paper, we formalize the concept with n signers and m sanitizers, taking into account recent models (for 1 signer and 1 sanitizer) on the subject. We next give a generic construction based on the use of both group signatures and a new cryptographic building block, called a trapdoor or proof, that may be of independent interest.
Conference Paper
Full-text available
Suppose we are given a proof of knowledge $\mathcal{P}$ in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme $\mathcal{S}$ on n participants. Then under certain assumptions on $\mathcal{P}$ and $\mathcal{S}$, we show how to transform $\mathcal{P}$ into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by $\mathcal{S}$. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, we get a witness hiding protocol, even if $\mathcal{P}$ did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as $\mathcal{P}$ and communication complexity n times that of $\mathcal{P}$. Our results use no unproven complexity assumptions.
Conference Paper
Full-text available
Motivated by emerging needs in online interactions, we define a new type of digital signature called a ‘Content Extraction Signature’ (CES). A CES allows the owner, Bob, of a document signed by Alice, to produce an ‘extracted signature’ on selected extracted portions of the original document, which can be verified (to originate from Alice) by any third party Cathy, without knowledge of the unextracted (removed) document portions. The new signature therefore achieves verifiable content extraction with minimal multi-party interaction. We specify desirable functional and security requirements from a CES (including an efficiency requirement: a CES should be more efficient in either computation or communication than the simple multiple signature solution). We propose and analyse four provably secure CES constructions which satisfy our requirements, and evaluate their performance characteristics.
Conference Paper
Full-text available
Kundu and Bertino (VLDB 2008) recently introduced the idea of structural signatures for trees which support public redaction of subtrees (by third-party distributors) while pertaining the integrity of the remaining parts. An example is given by signed XML documents of which parts should be sanitized before being published by a distributor not holding the signing key. Kundu and Bertino also provide a construction, but fall short of providing formal security definitions and proofs. Here we revisit their work and give rigorous security models for the redactable signatures for tree-structured data, relate the notions, and give a construction that can be proven secure under standard cryptographic assumptions.
Conference Paper
Full-text available
Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to a subset of n problem instances corresponding to a qualified set of participants. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, this can lead to witness hiding protocols, even if P did not have this property. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions. AMS Subject Classification (1991): 94A60. CR Subject Classification (1991): D.4.6.
Conference Paper
Full-text available
Sanitizable signature schemes allow a semi-trusted entity to modify some specific portions of a signed message while keeping a valid signature of the original off-line signer. In this paper, we give a new secure sanitizable signature scheme which is, to the best of our knowledge, the most efficient construction with such a high level of security. We also enhance the Brzuska et al. model on sanitizable signature schemes by adding new features. We thus model the way to limit the set of possible modifications on a single block, the way to force the same modifications on different admissible blocks, and the way to limit both the number of modifications of admissible blocks and the number of versions of a signed message. We finally present two cryptanalyses of proposals for two of these features due to Klonowski and Lauks at ICISC 2006 and propose some new practical constructions for two of them.
Conference Paper
Full-text available
Sanitizable signatures allow a designated party, called the sanitizer, to modify parts of signed data such that the immutable parts can still be verified with respect to the original signer. Ateniese et al. (ESORICS 2005) discuss five security properties for such signature schemes: unforgeability, immutability, privacy, transparency and accountability. These notions have been formalized in a recent work by Brzuska et al. (PKC 2009), discussing also the relationships among the security notions. In addition, they prove a modification of the scheme of Ateniese et al. to be secure according to these notions. Here we discuss that a sixth property of sanitizable signature schemes may be desirable: unlinkability. Basically, this property prevents one from linking sanitized message-signature pairs of the same document, which would otherwise allow one to deduce combined information about the original document. We show that this notion implies privacy, the inability to recover the original data of sanitized parts, but is not implied by any of the other five notions. We also discuss a scheme based on group signatures meeting all six security properties.
Conference Paper
Full-text available
Sanitizable signature schemes, as defined by Ateniese et al. (ESORICS 2005), allow a signer to partly delegate signing rights to another party, called the sanitizer. That is, the sanitizer is able to modify a predetermined part of the original message such that the integrity and authenticity of the unchanged part is still verifiable. Ateniese et al. identify five security requirements for such schemes (unforgeability, immutability, privacy, transparency and accountability) but do not provide formal specifications for these properties. They also present a scheme that is supposed to satisfy these requirements. Here we revisit the security requirements for sanitizable signatures and, for the first time, present a comprehensive formal treatment. Besides a full characterization of the requirements we also investigate the relationship of the properties, showing for example that unforgeability follows from accountability. We then provide a full security proof for a modification of the original scheme according to our model.
Conference Paper
Full-text available
We define a general model for consecutive delegations of signing rights with the following properties: The delegatee actually signing and all intermediate delegators remain anonymous. As for group signatures, in case of misuse, a special authority can open signatures to reveal the chain of delegations and the signer’s identity. The scheme satisfies a strong notion of non-frameability generalizing the one for dynamic group signatures. We give formal definitions of security and show them to be satisfiable by constructing an instantiation proven secure under general assumptions in the standard model. Our primitive is a proper generalization of both group signatures and proxy signatures and can be regarded as non-frameable dynamic hierarchical group signatures.
Conference Paper
Full-text available
We introduce the notion of sanitizable signatures that offer many attractive security features for certain current and emerging applications. A sanitizable signature allows authorized semi-trusted censors to modify - in a limited and controlled fashion - parts of a signed message without interacting with the original signer. We present constructions for this new primitive, based on standard signature schemes and secure under common cryptographic assumptions. We also provide experimental measurements for the implementation of a sanitizable signature scheme and demonstrate its practicality.
Conference Paper
Full-text available
In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys. The schemes are provably secure against any known or chosen message attack if factoring is difficult, and typical implementations require only 1% to 4% of the number of modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, these schemes are ideally suited for microprocessor-based devices such as smart cards, personal computers, and remote control systems.
Conference Paper
Full-text available
The notion of a “proof of knowledge,” suggested by Goldwasser, Micali and Rackoff, has been used in many works as a tool for the construction of cryptographic protocols and other schemes. Yet the commonly cited formalizations of this notion are unsatisfactory and in particular inadequate for some of the applications in which they are used. Consequently, new researchers keep getting misled by existing literature. The purpose of this paper is to indicate the source of these problems and suggest a definition which resolves them.
Chapter
In a sanitizable signature scheme the signer allows a designated third party, called the sanitizer, to modify certain parts of the message and adapt the signature accordingly. Ateniese et al. (ESORICS 2005) introduced this primitive and proposed five security properties which were formalized by Brzuska et al. (PKC 2009). Subsequently, Brzuska et al. (PKC 2010) suggested an additional security notion, called unlinkability, which says that one cannot link sanitized message-signature pairs of the same document. Moreover, the authors gave a generic construction based on group signatures that have a certain structure. However, the special structure required from the group signature scheme only allows for inefficient instantiations. Here, we present the first efficient instantiation of unlinkable sanitizable signatures. Our construction is based on a novel type of signature schemes with re-randomizable keys. Intuitively, this property allows to re-randomize both the signing and the verification key separately but consistently. This allows us to sign the message with a re-randomized key and to prove in zero-knowledge that the derived key originates from either the signer or the sanitizer. We instantiate this generic idea with Schnorr signatures and efficient Σ-protocols, which we convert into non-interactive zero-knowledge proofs via the Fiat-Shamir transformation. Our construction is at least one order of magnitude faster than instantiating the generic scheme of Brzuska et al. with the most efficient group signature schemes.
Conference Paper
Sanitizable signatures, introduced by Ateniese et al. (ESORICS ’05), allow the signer to delegate the sanitization right of signed messages. The sanitizer can modify the message and update the signature accordingly, so that the sanitized part of the message is kept private. For stronger protection of sensitive information, it is desirable that no one can link sanitized message-signature pairs of the same document. This idea was formalized by Brzuska et al. (PKC ’10) as unlinkability, which was followed up recently by Fleischhacker et al. (PKC ’16). Unfortunately, these generic constructions of sanitizable signatures, unlinkable or not, are based on building blocks with specially crafted features for which efficient (standard model) instantiations are absent. Building on existing primitives or a conceptually simple primitive is more desirable. In this work, we present two such generic constructions, leading to efficient instantiations in the standard model. The first one is based on rerandomizable tagging, a new primitive which may be of independent interest. It captures the core accountability mechanism of sanitizable signatures. The second one is based on accountable ring signatures (CARDIS ’04, ESORICS ’15). As an intermediate result, we propose the first accountable ring signature scheme in the standard model.
Conference Paper
Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely "ad-hoc" and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and then give separation results proving that our new notions are strictly stronger than previous ones. Next, we show two constructions of ring signature schemes in the standard model: one based on generic assumptions which satisfies our strongest definitions of security, and a second, more efficient scheme achieving weaker security guarantees and more limited functionality. These are the first constructions of ring signature schemes that do not rely on random oracles or ideal ciphers.
Conference Paper
Sanitizable signatures allow for controlled modification of signed data. The essential security requirements are accountability, privacy and unlinkability. Unlinkability is a strong notion of privacy. Namely, it makes it hard to link two sanitized messages that were derived from the same message-signature pair. In this work, we strengthen the standard unlinkability definition by Brzuska et al. at PKC ’10, making it robust against malicious or buggy signers. While state-of-the-art schemes deploy costly group signatures to achieve unlinkability, our construction uses standard digital signatures, which makes it compatible with existing infrastructure. We construct a sanitizable signature scheme that satisfies the strong notion of perfect unlinkability and, simultaneously, achieves the strongest notion of accountability, i.e., non-interactive public accountability. Our construction is not only legally compliant, but also highly efficient, as the measurements of our reference implementation show. Finally, we revisit the security model by Canard et al. and correct a small flaw in their security definition given at AfricaCrypt ’12.
Conference Paper
Sanitizable signatures enable a designated party to modify signed documents in a controlled way, while the derived signature still verifies. In this paper, we introduce the notion of non-interactive and public accountability. It allows a third party to determine whether a message-signature pair was issued by the signer or the sanitizer. The original notion of accountability does not satisfy European legal standards, while non-interactive public accountability does. A contradictory security goal is the indistinguishability of message-signature pairs from the signer and the sanitizer, a.k.a. transparency. As state-of-the-art schemes often satisfy transparency, they can only achieve a weaker notion of accountability. We show that non-interactive public accountability does not contradict privacy by proving that an existing scheme by Brzuska et al. (BIOSIG '09) satisfies both notions. We then extend the scheme to also satisfy blockwise public accountability. Overall, for e-business applications within the EU, opting for non-interactive public accountability can be preferable over transparency.
Article
The ring signature scheme is an important cryptographic primitive that enables a user to sign a message on behalf of a group in an authentic and anonymous way, i.e. the recipient of the message is convinced that the message is valid and that it comes from one of the group members, but does not know who the actual signer is. Currently, all the existing ring signatures are based on traditional cryptosystems. However, the rapid advances in the field of quantum computing indicate a growing threat to traditional cryptosystems. Multivariate public key cryptosystems (MPKCs) are one of the promising alternatives which may resist future quantum computing attacks. In this work, we propose a novel ring signature scheme based on multivariate polynomials together with its security model, for the first time. Our ring signature scheme has a great advantage in efficiency compared to many existing ring signature schemes, and currently it seems to be immune to quantum computing attacks.
Conference Paper
In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
Conference Paper
Privacy homomorphisms, encryption schemes that are also homomorphisms relative to some binary operation, have been studied for some time, but one may also consider the analogous problem of homomorphic signature schemes. In this paper we introduce basic definitions of security for homomorphic signature systems, motivate the inquiry with example applications, and describe several schemes that are homomorphic with respect to useful binary operations. In particular, we describe a scheme that allows a signature holder to construct the signature on an arbitrarily redacted submessage of the originally signed message. We present another scheme for signing sets that is homomorphic with respect to both union and taking subsets. Finally, we show that any signature scheme that is homomorphic with respect to integer addition must be insecure.
Conference Paper
Previously there have been essentially only two models for computers that people can use to handle ordinary consumer transactions: (1) the tamper-proof module, such as a smart card, that the person cannot modify or probe; and (2) the personal workstation whose inner working is totally under control of the individual. The first part of this article argues that a particular combination of these two kinds of mechanism can overcome the limitations of each alone, providing both security and correctness for organizations as well as privacy and even anonymity for individuals. Then it is shown how this combined device, called a wallet, can carry a database containing personal information. The construction presented ensures that no single part of the device (i.e. neither the tamper-proof part nor the workstation) can learn the contents of the database — this information can only be recovered by the two parts together.
Conference Paper
We present an efficient interactive identification scheme and a related signature scheme that are based on discrete logarithms and which are particularly suited for smart cards. Previous cryptoschemes, based on the discrete logarithm, have been proposed by El Gamal (1985), Chaum, Evertse, Graaf (1988), Beth (1988) and Günter (1989). The new scheme comprises the following novel features.
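Schnorr's signature, and the redaction idea from the homomorphic-signature abstract above, as one added worked example. This is illustration code written for this page, not code from either paper and not Bultel and Lafourcade's GUSS construction. It assumes a toy group (safe prime P = 1019, subgroup order Q = 509, generator G = 4) chosen only so the arithmetic is readable; the redactable scheme is a salted hash list signed with Schnorr, a simplified stand-in for the Merkle-tree-based scheme in the abstract.

```python
import hashlib
import secrets

# Toy group, constructed for this example: safe prime P = 2*Q + 1 and a
# generator G of the prime-order-Q subgroup of quadratic residues. Q is far
# too small for security (discrete logs are brute-forceable in 509 steps; a
# real deployment uses a ~256-bit Q or an elliptic curve).
P, Q, G = 1019, 509, 4
assert G != 1 and pow(G, Q, P) == 1           # G really has order Q

def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element (P fits in 16 bits)."""
    return x.to_bytes(2, "big")

def fs_hash(*parts: bytes) -> int:
    """Length-prefixed SHA-256 of the parts, as an integer (Fiat-Shamir challenge).
    It is deliberately not reduced mod Q: exponentiation by it reduces implicitly
    because every element used here has order Q, and comparing the full digest
    on verification detects a mismatch with certainty instead of with
    probability 1 - 1/Q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # (x, y = g^x)

def schnorr_sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce; reusing k leaks x
    r = pow(G, k, P)
    c = fs_hash(enc(r), msg)
    s = (k - c * x) % Q
    return c, s

def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    c, s = sig
    r = pow(G, s, P) * pow(y, c, P) % P       # g^s * y^c = g^(k - cx + cx) = g^k
    return fs_hash(enc(r), msg) == c

# --- Redactable signature on top of Schnorr: a salted hash list -------------
# Each block is committed as H(salt || block) and the signer signs the list of
# commitments. Whoever holds the signed document can drop a block and hand out
# its commitment instead; the signature still verifies. The random salt stops a
# verifier from brute-forcing a low-entropy redacted block (e.g. a diagnosis).

def leaf(salt: bytes, block: bytes) -> bytes:
    return hashlib.sha256(b"leaf" + salt + block).digest()   # salt is fixed-width

def root(leaves) -> bytes:
    h = hashlib.sha256(len(leaves).to_bytes(4, "big"))       # count is signed too
    for item in leaves:
        h.update(item)
    return h.digest()

def redactable_sign(x: int, blocks):
    """Sign a list of byte-string blocks; returns (document, signature)."""
    doc = [("open", secrets.token_bytes(16), b) for b in blocks]
    sig = schnorr_sign(x, root([leaf(salt, b) for _, salt, b in doc]))
    return doc, sig

def redact(doc, index: int):
    """Return a copy of doc with block `index` replaced by its commitment."""
    out = list(doc)
    kind, salt, block = out[index]
    if kind == "open":
        out[index] = ("redacted", None, leaf(salt, block))
    return out

def redactable_verify(y: int, doc, sig) -> bool:
    leaves = [leaf(e[1], e[2]) if e[0] == "open" else e[2] for e in doc]
    return schnorr_verify(y, root(leaves), sig)
```

Note what the redacted document still reveals: the number of blocks and the position of every redaction. Hiding those as well needs the tree-structured constructions the abstract refers to, not this flat list.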
Conference Paper
In this paper, we introduce the notion of event-oriented k-times revocable if and only if linked group signatures (k-EoRiffL group signatures). In k-EoRiffL group signatures, signers can sign on behalf of a group anonymously and unlinkably up to a permitted number of times (k) per event. No party, even the group manager, can revoke the anonymity of the signer. On the other hand, everyone can identify the signer if he signs more than k times for a particular event. We then show that k-EoRiffL group signatures can be used for k-times anonymous authentication (k-TAA), compact e-cash, e-voting, etc. We formally define a security model for the new notion and propose a constant-size construction, that is, the size of our construction is independent of the size of the group and the number of permitted usages k. Our construction is secure based on the q-strong Diffie-Hellman assumption and the y-DDHI assumption. Keywords: event-oriented, revocable anonymity, group signature, k-TAA
Conference Paper
Ring signatures have proved very useful in various applications for their attractive properties. However, the existing schemes based on the discrete logarithm are not perfect in signature and signer verification. In this paper, we introduce a new verifiable ring signature scheme based on the Nyberg-Rueppel signature. The scheme realizes the ring signature using only a hash function, and can verify the actual signer besides satisfying the basic properties of a ring signature: unconditional anonymity and non-forgeability. The comparison shows that our signature scheme has a smaller signature size and less computation, and the signer verification is simpler and easier to understand.
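The ring-signature abstract near the top of this list and the verifiable ring signature described just above, as one added worked example. It is written for this page and is not code from any of the cited papers: it uses the Schnorr-style ring construction (a cyclic chain of Fiat-Shamir challenges over the ring's public keys) rather than the trapdoor-permutation construction of the first abstract or the Nyberg-Rueppel-based scheme of the second, and the a-posteriori proof of authorship is a simple hash-commitment add-on chosen for illustration, not the EVeR scheme of the page's paper. The toy group (P = 1019, Q = 509, G = 4) is an assumption; Q is far too small for real use.

```python
import hashlib
import secrets

# Toy group constructed for this example: safe prime P = 2*Q + 1, G of prime
# order Q. A real deployment uses a ~256-bit Q or an elliptic curve.
P, Q, G = 1019, 509, 4

def enc(x: int) -> bytes:
    return x.to_bytes(2, "big")               # P fits in 16 bits

def fs_hash(*parts: bytes) -> int:
    """Length-prefixed SHA-256 as an integer; not reduced mod Q (elements have
    order Q, so exponentiation reduces implicitly) so that chain mismatches
    are detected with certainty."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def ring_bytes(ring) -> bytes:
    return b"".join(enc(y) for y in ring)     # binds the exact ring to the signature

def author_commit(y: int, alpha: int) -> bytes:
    """Commitment tying the signer's key to the nonce that closes the loop.
    Only the real signer knows alpha, so only it can open this later."""
    return hashlib.sha256(b"author" + enc(y) + alpha.to_bytes(2, "big")).digest()

def ring_sign(ring, s: int, x_s: int, msg: bytes):
    """Sign msg under ring (list of public keys); s is the signer's index.
    Returns (signature, alpha); alpha stays with the signer as proof material."""
    n = len(ring)
    alpha = secrets.randbelow(Q - 1) + 1
    com = author_commit(ring[s], alpha)
    tagged = msg + com                        # the commitment is part of the signed data
    c, r = [0] * n, [0] * n
    c[(s + 1) % n] = fs_hash(ring_bytes(ring), tagged, enc(pow(G, alpha, P)))
    i = (s + 1) % n
    while i != s:                             # simulate every other member
        r[i] = secrets.randbelow(Q)
        R = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = fs_hash(ring_bytes(ring), tagged, enc(R))
        i = (i + 1) % n
    r[s] = (alpha - c[s] * x_s) % Q           # close the loop with the real secret key
    return (c[0], r, com), alpha

def ring_challenges(ring, msg: bytes, sig):
    """Recompute the challenge chain from c[0]; c[n] must equal c[0]."""
    c0, r, com = sig
    tagged = msg + com
    c = [c0]
    for i in range(len(ring)):
        R = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        c.append(fs_hash(ring_bytes(ring), tagged, enc(R)))
    return c

def ring_verify(ring, msg: bytes, sig) -> bool:
    c = ring_challenges(ring, msg, sig)
    return c[-1] == c[0]                      # says "someone in the ring", not who

def verify_author(ring, msg: bytes, sig, s: int, alpha: int) -> bool:
    """Check a signer's later claim 'ring member s produced sig'. Any member j
    knows the discrete log of its own loop value R_j (it is r_j + c_j * x_j),
    so that check alone proves nothing; the commitment is what binds s."""
    if not ring_verify(ring, msg, sig):
        return False
    c0, r, com = sig
    c = ring_challenges(ring, msg, sig)
    R_s = pow(G, r[s], P) * pow(ring[s], c[s], P) % P
    return pow(G, alpha, P) == R_s and author_commit(ring[s], alpha) == com
```

Anonymity here is computational rather than unconditional: the commitment is hiding only as long as the hash is, which is the price paid for letting the signer prove authorship afterwards.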
Article
A group signature scheme allows group members to issue signatures on behalf of the group, while hiding for each signature which group member actually issued it. Such a scheme also involves a group manager, who is able to open any group signature by showing which group member issued it. We introduce the concept of list signatures as a variant of group signatures which sets a limit on the number of signatures each group member may issue. These limits must be enforced without having the group manager open signatures of honest group members—which excludes the trivial solution in which the group manager opens every signature to see whether some group members exceed their limits. Furthermore, we consider the problem of publicly identifying group members who exceed their limits, also without involving the group manager.
Conference Paper
We present the notion of anonymizable signature, which is an extension of the ring signature [RST01, BKM06]. By using an anonymizable signature, anyone who has a signed message can convert the signature into an anonymous signature. In other words, one can leave a signed message with an appropriate agent who will later anonymize the signature. A relinkable ring signature [SHK09] is also an extension of the ring signature by which the ring forming ability can be separated from the signing ability. In the relinkable ring signature, an agent who has a special key given by the signer can modify the membership of existing ring signatures. However, the relinkable ring signature has two problematic limitations; a signer cannot select an agent according to the worth of the signature, because there exists the unique key to modify the membership for each public key, and we cannot achieve perfect anonymity even if the agent is honest. The proposed anonymizable signature can free one from these limitations. In the anonymizable signature scheme, each signature can be anonymized without any secret but the signature itself. Thus, the signer can delegate signature anonymization to multiple agents signature by signature. Moreover, the anonymizable signature can guarantee unconditional anonymity and be used for anonymity-sensitive purposes, e.g., voting. After providing the definition of the anonymizable signature, we also give a simple construction methodology and a concrete scheme that satisfies perfect anonymity and computational unforgeability under the gap Diffie-Hellman assumption with the random oracle model.
Conference Paper
In a traditional signature scheme, a signature σ on a message m is issued under a public key PK, and can be interpreted as follows: "The owner of the public key PK and its corresponding secret key has signed message m." In this paper we consider schemes that allow one to issue signatures on behalf of any NP statement, that can be interpreted as follows: "A person in possession of a witness w to the statement that x ∈ L has signed message m." We refer to such schemes as signatures of knowledge. We formally define the notion of a signature of knowledge. We begin by extending the traditional definition of digital signature schemes, captured by Canetti's ideal signing functionality, to the case of signatures of knowledge. We then give an alternative definition in terms of games that also seems to capture the necessary properties one may expect from a signature of knowledge. We then gain additional confidence in our two definitions by proving them equivalent. We construct signatures of knowledge under standard complexity assumptions in the common-random-string model. We then extend our definition to allow signatures of knowledge to be nested, i.e., a signature of knowledge (or another accepting input to a UC-realizable ideal functionality) can itself serve as a witness for another signature of knowledge. Thus, as a corollary, we obtain the first delegatable anonymous credential system, i.e., a system in which one can use one's anonymous credentials as a secret key for issuing anonymous credentials to others.
Article
A ring signature scheme enables a signer to produce a signature without revealing their identity. A verifier can verify that the ring signature was made by a ring member, but cannot identify the real signer. A convertible ring signature scheme is proposed that allows the real signer to convert a ring signature into an ordinary signature by revealing secret information about the ring signature. Thus the real signer can prove the ownership of a ring signature if necessary.
Article
The Decision Diffie-Hellman assumption (DDH) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area.

1 Introduction

An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group $G$ and a generator $g$. They respectively pick random $a, b \in [1, |G|]$ and exchange $g^a$, $g^b$. The secret key is $g^{ab}$. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as: $\mathrm{dh}_g(g^a, g^b) = g^{ab}$. We say that the group $G$ satisfies the Computational Diffie-Hellman assumption (CDH) if no efficient algorithm can compute the function $\mathrm{dh}_g(x, y)$ in $G$. Precise definitions are given in the next sec...
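The exchange just described, together with the reason the DDH assumption (under which the page's paper proves GUSS and EVeR) only holds in a suitable group, as an added worked example. This is illustration code written for this page, not from the survey or from Bultel and Lafourcade. It assumes the toy safe prime P = 1019 with Q = 509: in the full group $\mathbb{Z}_P^*$ the Legendre symbol is a DDH distinguisher with advantage about 1/2, whereas in the prime-order subgroup of quadratic residues that leak disappears.

```python
import random

# Toy group constructed for this example: safe prime P = 2*Q + 1.
# G_FULL = 2 generates all of Z_P^* (2 is a non-residue because P = 3 mod 8),
# G_SUB = 4 = 2^2 generates only the order-Q subgroup of quadratic residues.
P, Q = 1019, 509
G_FULL, G_SUB = 2, 4

def is_qr(x: int) -> bool:
    """Euler's criterion: x is a quadratic residue mod P iff x^((P-1)/2) = 1."""
    return pow(x, Q, P) == 1

def dh_keypair(g: int, order: int, rng: random.Random):
    a = rng.randrange(1, order)
    return a, pow(g, a, P)                    # (secret exponent, public value)

def dh_shared(my_secret: int, their_public: int) -> int:
    return pow(their_public, my_secret, P)    # (g^b)^a = (g^a)^b = g^ab

def dh_demo(seed: int):
    """Alice and Bob run the exchange in the subgroup; returns both derived keys."""
    rng = random.Random(seed)
    a, ga = dh_keypair(G_SUB, Q, rng)
    b, gb = dh_keypair(G_SUB, Q, rng)
    return dh_shared(a, gb), dh_shared(b, ga)

def legendre_guess(ga: int, gb: int, z: int) -> bool:
    """Eve's guess that (ga, gb, z) is a DH tuple, i.e. z = g^ab, using only
    quadratic residuosity. If g generates all of Z_P^*, g^a is a QR iff a is
    even, so g^ab is a QR iff a or b is even, and Eve reads that off ga, gb."""
    return is_qr(z) == (is_qr(ga) or is_qr(gb))

def ddh_advantage(g: int, order: int, trials: int, seed: int) -> float:
    """Empirical |Pr[guess = DH | DH tuple] - Pr[guess = DH | random tuple]|."""
    rng = random.Random(seed)
    dh_hits = rand_hits = 0
    for _ in range(trials):
        a, ga = dh_keypair(g, order, rng)
        b, gb = dh_keypair(g, order, rng)
        gab = dh_shared(a, gb)
        z = pow(g, rng.randrange(1, order), P)   # an unrelated group element
        dh_hits += legendre_guess(ga, gb, gab)
        rand_hits += legendre_guess(ga, gb, z)
    return abs(dh_hits - rand_hits) / trials
```

The same check is the first thing to run against any DDH-based scheme's parameters: the generator must have large prime order, and inputs from outside that subgroup must be rejected, or the assumption the proof relies on simply does not hold in the group actually used.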
X. Bultel, P. Lafourcade. Unlinkable and strongly accountable sanitizable signatures from verifiable ring signatures. Cryptology ePrint Archive.